My current laptop setup is a dual boot Linux Fedora 10 and Windows Vista Ultimate. I mostly use Linux but having windows comes handy in various situations. The linux-windows dual boot is nothing new; what’s new (for me) however is implementing partition encryption on such a setup. Nothing too tricky but fun to contemplate. Here’s the story off the top of my head.

I first installed Linux (by booting to its installation DVD) having it create its standard hard disk layout. This layout consists of 2 partitions:

• a tiny one which will be the boot partition and
• a larger one that will be managed by the logical volume manager. By default, LVM creates two logical drives there:
  • a small one to be used as the swap area for the OS
  • a big one which will host the main filesystem

There were three deviations from the default options in the setup however:

• I placed the boot loader on the first sector of the boot partition (there’s an option for that). So now, the BIOS loads the stage 1 boot loader off the MBR, which checks the partition table, also in the MBR, finds the active primary partition (by convention there can be only one active partition out of usually four maximum primary partitions) and load the stage 2 boot loader (in this case GRUB) off its first sector. GRUB then loads the kernel, etc. The default for Fedora is to put both stage 1 and stage 2 boot loaders in the MBR, only in this case MBR refers either to the first sector in a hard disk that has sectors larger than 512 bytes or to the whole first track of the disk which is traditionally not allocated to any partition. For boot process details see here.
• I manually shrinked the larger partition by 30GB, to be used by the upcoming windows installation. The 30GB were actually left unallocated (not part of any partition)
• I asked Linux setup to encrypt the larger partition it created. The boot partition cannot be encrypted. Also note that although, at this point, you can opt for full HDD encryption, this will make it very hard to install windows later.

After finishing with the Linux installation I booted using the windows installation DVD. Windows lets you create new partitions on unallocated space and this is what I did with the 30Gb of unallocated disk space I  had reserved earlier, eventually having windows Vista install there.

After Windows installation, the MBR links to the windows second stage boot loader, simply because windows has set its own partition as the active one. At this point you have two options:

• Either manipulate the Windows Vista Boot Manager (NTLDR does not exist in Vista) to present the option of loading Linux.
• Or do what I did, boot your laptop/PC to the Linux installation CD/DVD or any Linux Live CD/DVD and go to the command line. From there you can invoke fdisk and easily change the active partition to Linux’s boot. Then configure GRUB appropriately (e.g. edit the /boot/grub/menu.lst file as described here). In my case things were actually easier as my linux installation was actually done over an already existing identical HDD partition structure (I was experimenting with stuff) that had Windows Vista already installed; therefore the Linux installer detected it and automatically set up GRUB to offer menu options for booting to both OSs.

Given all of the above, when it comes to the suggested sequence of actions for setting up a linux+windows dual boot box, here’s what one should do:

• First install windows (because Linux can detect other OSs and can actually auto-configure GRUB for dual or multi-boot)
• Boot to windows installation CD/DVD
• Clear all existing HD partitions
• Create a partition for windows and leave rest of space unallocated
• Proceed with installing windows on that partition
• Then install linux
• Boot to linux installation CD/DVD
• Use unallocated space to create suggested/default linux partition and logical drive structure
• Linux will detect existing Windows or other OSs and configure GRUB for multi-boot
• Proceed with actually installing Linux
• If after rebooting you don’t get the GRUB boot menu and instead you boot directly to windows (and this is most likely to occur if you asked linux installation to place GRUB on the first sector of the boot partition) just boot to the linux installation CD/DVD or any linux live CD/DVD and go to the command line (usually under ‘system rescue’ options). There, invoke fdisk and simply make sure that there is only one active primary partition and that this partition is the partition where GRUB is located (e.g. the boot partition)

After installing my Windows (Windows Vista Ultimate) the only thing missing was encrypting the disk partition where windows was installed. Windows Vista Ultimate actually comes bundled with Bitlocker, a full hard disk or partition encryption utility. I wanted to use it, especially because it integrates with TPM based authentication, meaning that you can perform an SSO (Single sign On) using the Trusted Platform Module and then have the TPM log in and unlock things like BIOS boot up passwords, Drivelock passwords, encrypted hard disks or partitions passwords and even OS credentials. However, for some reason, Bitlocker was not working in my case (Bitlocker preparation tool would give me weird errors before starting its work, perhaps because of the non-standard disk partition structure).

Thankfully Bitlocker is not the only option for Windows hard drive encryption. TrueCrypt is a pretty good solution as well and in fact, although it won’t presently integrate with a TPM, it is much more exciting and flexible from a cryptography point of view. Coolest thing of all, it will encrypt your windows partition on the fly (while you work). A slight problem is that it actually goes and changes the MBR code and asks you for the encrypted partition password even if you are not going to boot that partition but other than that it works pretty well.

After doing all of the above and before setting up my TPM I actually had to perform the following authentications in order to boot and login to my Linux OS:

• Provide start-up BIOS password
• Provide Drivelock password
• Provide TrueCrypt Password
• Provide Linux encrypted partition password
• Provide my Linux account credentials (user/pass)

After activating my TPM and because my BIOS supports TPM SSO for all its security features, I only have to do the following:

• Provide TPM password
• Provide TrueCrypt Password
• Provide Linux encrypted partition password
• Provide my Linux account credentials (user/pass)

If i am actually logging into my windows this becomes a three step process as TPM takes care of the Windows login. Using your smart card reader and fingerprint sensor you can also require multi-factor authentication for SSO to work.